On July 18th at 9AM CST a 0-day exploit was seen in the wild. It may have been going on for longer, but that is when we first saw it. A CVE has been submitted and we are awaiting assignment of the ID.

Hackers apparently reverse engineered our code and found a bug which we had already fixed. They are exploiting it against anyone who has not stayed current on new versions.

We believe this bug was present in builds from roughly before July 1st; the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S). We had fixed a different issue related to AS2 over HTTP(S), not realizing that the prior bug could be used the way this exploit uses it. Hackers apparently saw that code change and figured out a way to exploit the prior bug.

As always, we recommend regular and frequent patching. Anyone who had kept up to date was spared this exploit.

Enterprise customers with a DMZ CrushFTP instance in front of their main instance are not affected by this.

!!Affected Versions:
All version 10 builds below 10.8.5.\\
All version 11 builds below 11.3.4_23.\\
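Added example, not from the original advisory and not CrushFTP's own code: a small Python check that compares an installed version string against the fixed builds listed above. It assumes version strings look like MAJOR.MINOR.PATCH with an optional _BUILD suffix (as in 11.3.4_23) and treats a missing suffix as build 0; both are assumptions for illustration, not something the advisory states. Majors other than 10 and 11 are reported as unknown because the advisory only lists those two lines.

```python
import re
import sys
from typing import Optional, Tuple

# First fixed build per major line, taken from the advisory:
#   10.x is fixed at 10.8.5, 11.x is fixed at 11.3.4_23.
FIXED = {
    10: (8, 5, 0),
    11: (3, 4, 23),
}

# MAJOR.MINOR.PATCH with an optional _BUILD suffix (format is an assumption).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a CrushFTP-style version string into (major, minor, patch, build).

    A missing _BUILD suffix is treated as build 0 (assumption), so a bare
    "11.3.4" sorts below "11.3.4_23".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fixed build for its major line,
    False if it is at or above it, None if the major line is not listed."""
    major, minor, patch, build = parse_version(text)
    fixed = FIXED.get(major)
    if fixed is None:
        return None
    return (minor, patch, build) < fixed


if __name__ == "__main__":
    # Usage: python check_version.py 11.3.4_22
    for arg in sys.argv[1:]:
        state = is_affected(arg)
        label = {True: "AFFECTED - update now", False: "patched", None: "not covered by advisory"}[state]
        print(f"{arg}: {label}")
```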

!!If you were exploited:
Restore a prior copy of the default user from your backup folder, taken from before the exploit: CrushFTP folder/backup/users/MainUsers/default.....

These zip files cannot be extracted with the native Windows unzip; use WinRAR, WinZip, macOS, etc. to extract them. Alternatively, delete your default user and CrushFTP will re-create it for you, but you will lose any prior customizations you had made.

Restore it to your CrushFTP folder/users/MainUsers/default

!!Future mitigation techniques:
Limit the IPs allowed for administration\\
Whitelist the IPs that can connect to your server\\
Enterprise users: use a DMZ CrushFTP instance in front\\
Enable automatic and frequent patching\\


!!Compromise indicators:
Your default user has "last_logins" in it; this is not normal.\\
The modified date on your default user.XML is recent.\\
The default user has admin access.\\
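Added example, not part of the original advisory and not CrushFTP's own tooling: a Python script that applies the three indicators above to a default user.XML. Only the "last_logins" element name comes from the advisory; the other element names in the constructed sample files (user_admin, username) and the "any tag containing admin with a true value" heuristic are assumptions about the file's schema, so the script reports which tags it matched rather than silently trusting one name. The 30-day window for the modified-date check is a placeholder; compare against the date of your last legitimate change.

```python
import os
import sys
import time
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a suspicious default user.XML. Not a real CrushFTP
# file: the "last_logins" name is from the advisory, everything else is an
# assumed schema for illustration.
SUSPICIOUS_XML = """<user type="properties">
  <username>default</username>
  <user_admin>true</user_admin>
  <last_logins>192.0.2.10</last_logins>
</user>
"""

# Constructed sample of a clean default user (same schema caveat).
CLEAN_XML = """<user type="properties">
  <username>default</username>
  <user_admin>false</user_admin>
</user>
"""

TRUTHY = {"true", "1", "yes"}


def indicators_from_xml(xml_text: str) -> Dict[str, object]:
    """Evaluate the two content-based indicators from the advisory.

    has_last_logins: a last_logins element is present (not normal for default).
    admin_flags:     tags containing "admin" whose text is truthy. The exact tag
                     CrushFTP uses is an assumption, so the match is broad and
                     the tags found are returned for a human to judge.
    """
    root = ET.fromstring(xml_text)
    has_last_logins = any(el.tag == "last_logins" for el in root.iter())
    admin_flags: List[str] = [
        el.tag
        for el in root.iter()
        if "admin" in el.tag.lower() and (el.text or "").strip().lower() in TRUTHY
    ]
    return {"has_last_logins": has_last_logins, "admin_flags": admin_flags}


def recently_modified(mtime: float, now: float, max_age_days: int = 30) -> bool:
    """Third indicator: the file was modified within max_age_days of now."""
    return (now - mtime) <= max_age_days * 86400


def check_default_user(path: str, max_age_days: int = 30) -> Dict[str, object]:
    """Run all three indicators against an on-disk user.XML and flag the result."""
    with open(path, "r", encoding="utf-8") as fh:
        result = indicators_from_xml(fh.read())
    result["recently_modified"] = recently_modified(
        os.path.getmtime(path), time.time(), max_age_days
    )
    # Any single indicator is enough to warrant restoring from backup.
    result["suspicious"] = bool(
        result["has_last_logins"] or result["admin_flags"] or result["recently_modified"]
    )
    return result


if __name__ == "__main__":
    # Usage: python check_default_user.py <CrushFTP folder>/users/MainUsers/default/user.XML
    if len(sys.argv) > 1:
        print(check_default_user(sys.argv[1]))
    else:
        print("sample (suspicious):", indicators_from_xml(SUSPICIOUS_XML))
        print("sample (clean):     ", indicators_from_xml(CLEAN_XML))
```

Point it at the live default user.XML; a hit on any indicator means the default user should be replaced from a pre-exploit backup as described above, not edited in place.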